03-11-07

The Russian cybermafia identified: Russian Business Network - block them

Ukraine is to cybercrooks what Turkey is to hackers: a haven, a world where you can do everything you have always dreamed of without any danger of being caught by the government, as long as you leave it alone and only target foreigners.

One visit to their sites can bring tens to hundreds of malicious downloads, seen and unseen, behind and in front of your screen. And around 3 to 4 million people are being lured to their sites a month? If they continue like that they will get richer than the other multimillion-dollar cybercrook firm, CoolWebSearch.

They are very powerful crooks. They launched the MPack attack against the Italian web, infecting more than 10,000 sites in a few days with all kinds of malicious downloads that visitors received and installed if they weren't protected. MPack is one of the most professional online crimeware packs for sale. And if you really try to hurt them business-wise they will have hackers mount a very targeted attack on you, as the Bank of India experienced. This was proof that targeted attacks by highly professional hackers are not something to underestimate if you are the victim. You only know it afterwards, because the attack was so limited at the start that you didn't notice (oh, one virus, or one computer behaving strangely), but after some time you won't know what hit you.

They lure people with links and advertising to fake antispyware and antivirus software that also promises to scan your machine (for vulnerabilities to use, yeah). You should really warn the people in your network not to download such software or let those servers scan their machines.

If you want to do it, use the big names; each has a free online scan service, and if you look for free antivirus for personal use there are AVG and Antivir and some others that are widely known, and Spybot Search & Destroy for antivirus.

Very useful listings can be found here and here, and if you really want to block them totally out of your network or protect your users completely, then you will find enough information here to do it. There are some legitimate Ukrainian users, but you probably don't need them, and if they want to be on the same network as those crooks, then that is their choice. If they were really that interested they would sue or change hosting. This is more difficult for the crooks, as they have built up a whole network of servers and services, and I am not sure other ISPs are very happy to take them on, even if they throw a lot of money around. Everybody is for sale, but being blackholed by the cybercommunity carries the risk that if you need help against an attack, or because you are the victim of a disaster, they will just stand by and say 'good riddance'.

For the moment they are like parasites that try to get into a network and then infect it. They mirror themselves in other networks and try to do the same. Either the networks cut out the cancer, or the cancer slowly takes over the body or makes it very sick as it spreads cyberinfections over the whole network it has infiltrated.

More blocking info

iframecash com = 38.97.225.135 = hiding within Cogent Communications (DC, US); moved back onshore to the US from Aki Mon Telecom

iframecash net = 66.29.87.11 = hiding within Net Access Corporation (NJ, US), along with many (what look like) bank phishing domains

anonymous-service (dot) com = 67.19.24.170 = within ThePlanet com (US) and proxy-registered via Global Net Access (US); also key domains:
adulthosting (dot) ru, aspmedia (dot) net, sexbomba (dot) ru, webmoney-hosting (dot) net

76service com = 66.232.122.239 = still within Noc4hosts Inc (FL, US) and proxy-registered via Global Net Access; also key domains:
firstoceanicbank (dot) net, gamesboard (dot) ru, hydrometeocenter (dot) net, newpulses (dot) com, odeku (dot) net, putany (dot) net, sosnovsky (dot) net

and here  

Something is different. Sometimes they change domain names like men drink beer when they are together (using the taste formulae), but here it seems they are keeping the sites, site names and structure and just changing the IP addresses. For once you are not running behind IP addresses.
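The blocking info above is written in the post's own obfuscated notation ("name com", "name (dot) tld"), and the post's point is that the names stay while the IP addresses move. As an added example (not code from the original post), the Python script below parses those indicator lines into a domain list and an IP list, emits hosts-file lines that sinkhole the names, and checks constructed proxy-log lines against both. The log format and the three sample lines are assumptions made up for the demo; the indicators are copied from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator lines copied from the post above, in the author's "(dot)" / "name tld"
# notation. Only the domain (first field) and the IP (second field) of a "=" line
# are parsed; the hosting description after the second "=" is ignored.
RAW_INDICATORS = [
    "iframecash com = 38.97.225.135 = hiding within Cogent Communications (DC, US)",
    "iframecash net = 66.29.87.11 = hiding within Net Access Corporation (NJ, US)",
    "anonymous-service (dot) com = 67.19.24.170 = within ThePlanet com (US); also key domains:",
    "adulthosting (dot) ru, aspmedia (dot) net, sexbomba (dot) ru, webmoney-hosting (dot) net",
    "76service com = 66.232.122.239 = still within Noc4hosts Inc (FL, US); also key domains:",
    "firstoceanicbank (dot) net, gamesboard (dot) ru, hydrometeocenter (dot) net, "
    "newpulses (dot) com, odeku (dot) net, putany (dot) net, sosnovsky (dot) net",
]

DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def deobfuscate(text):
    """Turn 'name (dot) tld' into 'name.tld' and lowercase the line."""
    return re.sub(r"\s*\(dot\)\s*", ".", text.strip().lower())


def parse_indicators(lines):
    """Return (domains, ips) sets from the post's blocklist notation."""
    domains, ips = set(), set()
    for raw in lines:
        line = deobfuscate(raw)
        if " = " in line:
            name, rest = line.split(" = ", 1)
            domains.add(re.sub(r"\s+", ".", name.strip()))  # 'x com' -> 'x.com'
            m = IP_RE.search(rest)  # the field right after the first '=' is the IP
            if m:
                try:
                    ips.add(str(ipaddress.ip_address(m.group())))
                except ValueError:
                    pass  # 999.1.1.1-style junk is dropped, not blocked
        else:
            domains.update(DOMAIN_RE.findall(line))  # continuation line of key domains
    return domains, ips


def hosts_entries(domains):
    """hosts-file lines that sinkhole every listed name; blocking by name
    keeps working when the crooks move to new IP addresses."""
    return [f"0.0.0.0 {d}" for d in sorted(domains)]


def domain_listed(hostname, domains):
    """True if hostname or any parent domain is listed (www.x.com -> x.com)."""
    parts = hostname.lower().split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts) - 1))


def classify(log_line, domains, ips):
    """Report why a proxy log line matches: by domain, by IP, or not at all."""
    hits = []
    for url in re.findall(r"https?://\S+", log_line):
        host = urlsplit(url).hostname or ""
        if domain_listed(host, domains):
            hits.append(f"domain:{host}")
    for ip in IP_RE.findall(log_line):
        if ip in ips:
            hits.append(f"ip:{ip}")
    return hits


# Constructed proxy log lines (timestamp, client, status, method, URL, server IP);
# not real traffic. The second line shows a listed name on a new, unlisted IP.
SAMPLE_LOG = [
    "1194000000.123 10.0.0.7 TCP_MISS/200 GET http://www.iframecash.com/in.cgi?default 38.97.225.135",
    "1194000001.456 10.0.0.8 TCP_MISS/200 GET http://76service.com/ 203.0.113.9",
    "1194000002.789 10.0.0.9 TCP_MISS/200 GET http://example.org/ 198.51.100.4",
]

if __name__ == "__main__":
    domains, ips = parse_indicators(RAW_INDICATORS)
    print("\n".join(hosts_entries(domains)))
    for line in SAMPLE_LOG:
        print(classify(line, domains, ips) or "clean", "<-", line)
```

The second sample line is the case the post describes: the server IP has changed, so an IP-only block misses it, while the name match still fires. Matching parent domains means a `www.` or other subdomain of a listed name is caught as well.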

Best blog: http://rbnexploit.blogspot.com/

ISPs and hosters should become members of this group to have more detailed information they can act on: http://groups.google.com/group/russianbusinessnetwork

10:01 Posted by technology changes fast not a lot in Algemeen

31-10-07

Hack of the week: met.wallonie.be

http://www.zone-h.org/component/option,com_mirrorwrp/Item...

And now it says:

Site unavailable!

The site patrimoine.met.wallonie.be is currently under maintenance and should be back online in the week of 5 to 9 November 2007.
The problem is that, even if they only defaced one page of your portal, you can't be at all sure that they didn't have access to other parts of it that they didn't use yet, or that they didn't install backdoors. So the clean-up must take much more time.
The fact that it takes that long proves that they didn't think they could fall victim and that they probably didn't have the necessary clean backups.
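A clean-up after a defacement needs something trustworthy to compare against, which is why the clean backups mentioned above matter. As an added example (not the blog's own tooling), the Python script below hashes every file in a known-clean backup and in the live web root and reports what was added, removed or modified: the modified file is the visible defacement, the added file is what a fix-the-one-page clean-up would miss. The sample web root, its file names and the extra file are all constructed in a temporary directory for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_backup, live_webroot):
    """Diff a live web root against a known-clean backup.

    'modified' holds files whose content changed, 'added' holds files that
    never existed in the clean copy, 'removed' holds files now missing."""
    clean, live = hash_tree(clean_backup), hash_tree(live_webroot)
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
    }


def build_demo():
    """Construct a clean backup and a tampered live copy in a temp directory.
    Every file name and content here is made up for this example."""
    base = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    clean, live = base / "backup", base / "live"
    files = {
        "index.html": "<h1>Patrimoine</h1>",
        "css/site.css": "body { margin: 0 }",
        "cgi/search.php": "<?php echo 'search'; ?>",
    }
    for root in (clean, live):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # The visible change: the defaced front page.
    (live / "index.html").write_text("<h1>defaced</h1>")
    # The invisible change: an extra file with no counterpart in the backup
    # (a constructed placeholder standing in for anything left behind).
    (live / "images").mkdir()
    (live / "images" / ".cache.php").write_text("<?php /* placeholder */ ?>")
    return clean, live


def demo():
    """Run the comparison on the constructed trees and return the report."""
    clean, live = build_demo()
    return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

A hash diff against a clean backup only covers the file tree; changes in the database, scheduled jobs, accounts or web server configuration need their own comparison, so this is one check in the clean-up, not the whole of it.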

00:24 Posted by technology changes fast not a lot in Algemeen

30-10-07

What could be done by the gateway defenders of the Belgian Internet

It is a good exercise. Suppose that a few thousand zombies from all over the world attack a list of Belgian websites to compromise them or to take them out (DDoS). How would you react?

Well, there should be plans for three centers in the case of a cyberattack. They have totally different tasks and should have different people, enough people to be on permanent standby as long as the attack endures.

1. Communication: where will the network administrators and journalists find information about the developing situation? Information that should be correct and verified and without any hyperbole. It should also give a list of all the patches and tricks that are being used and the workarounds. This should go very, very fast.

2. Take-out center: where would all the information be concentrated about web servers and services that are being used in the attack and that have to be taken out or blocked at the first gateways to the Belgian Internet? International coordination is also necessary here. Internally, compromised Belgian web services should be taken out as fast as possible. This should be verified, but very fast.

3. Prosecution center: where would all the forensic information arrive so that official, eventually international, complaints can be launched? In the case of such an attack this would be necessary if you want to treat this as a government-level problem in which the Turkish government has to act. This should be very well verified before being handed over as evidence. The procedure and the information needed should be set up now, to be communicated at the start of the attack to the information and take-out centers.

09:21 Posted by technology changes fast not a lot in Algemeen

Looking for a Turkish-language IT co-blogger

I do not speak Turkish, but I have a list of Turkish hacker sites that seem interesting if you want a better view of what the Turkish hacker clans are preparing. If something is being prepared, it will be prepared there, and the discussions among them about attacking this or that target can be interesting to know what the probability of such an attack will be.

Remember, for the moment we, as network administrators, are all on our own. There is no Internet Storm Center in Belgium, even if the Belgian Telecom Law has foreseen one. This Internet storm center would coordinate and interpret all the information it would get from different resources about announced attacks and those that have taken place, and would give us a local Belgian view of what to expect and what is happening.

I hope meanwhile that our national intelligence service has some Turkish-speaking security researchers keeping an eye on the Turkish hacker clans. Or would they say, like after 9/11, that they don't have enough foreign-language speakers to foresee and correctly interpret what is being said and done?

So if there is a Turkish IT-knowledgeable blogger who doesn't himself have anything to do with hacking, then you can contact me. The Turkish hacker clans are roughly accountable for more than 75% of all defacements in Belgium.

08:57 Posted by technology changes fast not a lot in Algemeen

It is not because the cyberattack hasn't taken place yet

...that the member of the Turkish hacker clan who proclaimed the threat is playing golf. For the moment, no attacks on the Belgian cyberinfrastructure by him or by the clan he said he belonged to are being seen. But they are still defacing numerous sites everywhere else around the world. So they still have all the firepower they would need to launch such an attack.

...that in Belgium authorities and security people are playing sitting duck and just waiting to see if something will happen. I have the impression that some people are starting to follow up on the story. In the best case they are studying what happened during the large-scale attacks against other countries and have plans ready or are setting them up. Responding to such wide-scale attacks without a plan and coordination would be totally irresponsible. It would multiply the economic impact of such an attack by .........

A worst-case scenario is that they are now making an inventory of the sites and infrastructure to attack and are scanning. After that they can wait for the next release of Windows patches (and an exploit against unpatched machines at the latest a few days later) or for a new zero-day exploit coming onto the black market (for sale). Next week may be critical. If there are no political or military events that change the context, the situation may cool down if no major attack takes place next week (which means 'only' 5 to 20 Belgian .be websites hacked every few days).

In the best-case scenario they have understood that another such attack against a European country would be of no benefit at all to Turkey. It will not get them any sympathy for their 'cause' against the PKK and it will not make a good impression while you are negotiating a better 'membership-or-something-like-that' deal with the European Community, whose institutions are located in Brussels, Belgium.... You do not need to be a general to understand this.

So in colours I would say Yellow, in SANS terms. Prepare yourself and watch out. If something big happens, it would be between now and the end of next week, barring any change in the political context. For the rest: control your firewall and your logs, patch your machines, close down the applications, change standard passwords, upgrade older machines, make backups, set up a procedure for who to contact, what to do and what everyone should do if something goes wrong, and test next week the time you would need to patch all your machines as fast as possible. In that case this announcement is a good case for an exercise. Better be prepared than sorry. (PS: I am not a believer in end-of-the-digital-world conspiracies.)

08:49 Posted by technology changes fast not a lot in Algemeen

29-10-07

vao.be was hacked and reported in the news

No news yet that a Turkish hacking storm may be on the horizon, although the warning has been sent to the media.

Meanwhile this example should awaken some, but less than a pre-alert would.

So, let's look at the hack.
First, it was done by Briam, a very Turkish name. (sic)
Secondly, the contact address is at mail.ru in Russia. So forget asking for any information over there.
Thirdly, there is no mention of other Turkish hackers or clans or websites.
Fourth, the language is not the usual nationalistic Turkish slogans.
So maybe it is a lone Turkish cybersoldier, and maybe it was done from a Belgian IP address and we will see an arrest in the coming hours or days. And he will be another stupid Belgian hacker who forgot that in Belgium the cyberlaw is in place and being used by the cybercops.

15:57 Posted by technology changes fast not a lot in Algemeen

Major Internet backbone Global Crossing facing huge difficulties today

Network problems on a major backbone: Global Crossing

During the day we were receiving messages regarding a problem with one of the major backbone providers, Global Crossing, whose fiber-optic network covers more than 100,000 route miles, reaching six continents, 60 countries and more than 600 major cities. There are problems on the following routes: from Global Crossing to Internap, Level3, Savvis, SBC, Verizon and XO. This is why many websites are experiencing availability and latency problems during the day.

12:55 Posted by technology changes fast not a lot in Algemeen